🤖 AI Summary
Traditional large language models struggle to directly process raw bytes of executable files, limiting their applicability to binary understanding tasks such as malware analysis. This work proposes the first large language model natively designed for byte-level input, integrating a custom byte tokenizer, byte-level language modeling, and injection of binary-domain knowledge to enable semantic understanding and question answering over compiled code. Experimental results demonstrate that the proposed approach achieves 69% accuracy in malware family classification and 98% accuracy in architecture classification, substantially outperforming general-purpose large language models. These findings underscore the effectiveness and necessity of native byte-level modeling combined with domain-specific knowledge for advancing binary analysis capabilities.
📝 Abstract
Malware analysis starts with the raw bytes of an executable program, and tools to "lift" these to higher-level representations, such as assembly, are expensive and subject to error. Large Language Models (LLMs) cannot process raw byte representations and answer questions about them. To this end, we present the first byte-native LLM. Based on a vocabulary expansion technique using a bespoke byte tokenizer, such a model is capable of responding to complex questions about malware binaries, with accuracies ranging from 69% for malware family classification to 98% for architecture classification. Our findings indicate that providing domain knowledge during training is essential for this application -- off-the-shelf models lack both accuracy and insight. We've deployed this emerging solution to a limited number of analysts to gather feedback for further improvements.
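To make the "vocabulary expansion with a bespoke byte tokenizer" idea concrete, here is a small added illustration; it is not the paper's code and the paper does not describe its tokenizer at this level of detail. It assumes a toy word-level text vocabulary standing in for a pre-trained LLM's vocabulary, appends 256 byte tokens plus two delimiter tokens after it, and builds a prompt that interleaves a raw byte span (a constructed ELF header prefix) with a text question. The names `TEXT_VOCAB`, `encode_bytes`, `build_prompt` and `decode` are all assumptions of this example.

```python
"""Toy byte-native tokenizer built by vocabulary expansion (added example).

Assumptions, not from the paper:
- a tiny word-level text vocabulary stands in for an LLM's existing vocab;
- 256 byte tokens and two span delimiters are appended after that vocab,
  so every raw byte value gets its own id and no "lifting" step is needed.
"""
from __future__ import annotations

# Stand-in "pre-trained" text vocabulary (constructed for this example).
TEXT_VOCAB = ["<pad>", "<unk>", "what", "architecture", "is", "this", "binary", "?"]
TEXT_ID = {tok: i for i, tok in enumerate(TEXT_VOCAB)}

# Vocabulary expansion: byte tokens and delimiters appended after the text ids.
BYTE_BASE = len(TEXT_VOCAB)      # id of byte 0x00; byte b -> BYTE_BASE + b
BOS_BYTES = BYTE_BASE + 256      # marks the start of a raw byte span
EOS_BYTES = BYTE_BASE + 257      # marks the end of a raw byte span
VOCAB_SIZE = BYTE_BASE + 258     # original vocab + 256 bytes + 2 delimiters


def encode_text(text: str) -> list[int]:
    """Whitespace word tokenizer over the toy text vocabulary."""
    return [TEXT_ID.get(w, TEXT_ID["<unk>"]) for w in text.lower().split()]


def encode_bytes(blob: bytes) -> list[int]:
    """Map each raw byte to its own token id, wrapped in span delimiters."""
    return [BOS_BYTES] + [BYTE_BASE + b for b in blob] + [EOS_BYTES]


def build_prompt(question: str, blob: bytes, max_bytes: int = 64) -> list[int]:
    """Byte span first, then the analyst's question, truncated to a byte budget."""
    return encode_bytes(blob[:max_bytes]) + encode_text(question)


def decode(ids: list[int]) -> tuple[str, bytes]:
    """Split a token sequence back into its text part and its raw byte part."""
    words: list[str] = []
    raw = bytearray()
    for i in ids:
        if i in (BOS_BYTES, EOS_BYTES):
            continue
        if BYTE_BASE <= i < BYTE_BASE + 256:
            raw.append(i - BYTE_BASE)
        elif 0 <= i < BYTE_BASE:
            words.append(TEXT_VOCAB[i])
        else:
            raise ValueError(f"id {i} outside vocabulary of size {VOCAB_SIZE}")
    return " ".join(words), bytes(raw)


# Constructed sample input: first 16 bytes of an ELF header
# (magic, ELFCLASS64, little-endian, version 1, padding).
SAMPLE_ELF_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    ids = build_prompt("what architecture is this binary ?", SAMPLE_ELF_HEADER)
    print(ids)
    print(decode(ids))
```

The round trip through `decode` shows the property a byte-native model relies on: nothing about the executable is lost or reinterpreted at the input boundary, because each byte value has exactly one token id and the text and byte ranges of the vocabulary never overlap.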